Posts

Significant and negatively impactful data breaches in the healthcare industry have happened for a long time. Back in 2015, Anthem suffered a massive data breach that led to as many as 80 million people having their information stolen. In 2019, third-party billings and collection agency, American Medical Collection Agency (AMCA), suffered a data breach that affected over 24 million people and 20 healthcare entities. That included Quest Diagnostics, who had 11.9 million patients impacted. More recent healthcare data breaches include Florida Orthopaedic Institute, University of Utah Health and PaperlessPay.

What Does it Mean to You?

Data breaches in the healthcare industry continue to happen because of the availability of both personally identifiable information (PII) and personal health information (PHI) available to bad actors. Hackers can do a lot of damage with access to sensitive PHI and PII, like Social Security numbers, health insurance numbers, drivers licenses or identification numbers, medication lists, conditions, diagnoses and financial information. Fraudsters can submit use this data to file fraudulent health insurance claims, apply for medical care and prescription medications, use the information on billing and much more.

According to the Protenus 2020 Breach Barometer, in 2019,  data breaches in the healthcare industry continued to be a problem, involving sensitive patient information, with public reports of hacking jumping 48.6 percent from 2018. The 2020 IBM Report on the average cost of a data breach reported that the most expensive attacks in 2019 occurred in the healthcare sector. According to the Identity Theft Resource Center’s (ITRC) 2019 Data Breach Report, there were 525 medical and healthcare data breaches in 2019, exposing over 39 million sensitive records. The medical and healthcare sector had the second-highest number of breaches and sensitive records exposed of all the sectors the ITRC tracks.

What Can You Do?

Data breaches in the healthcare industry will continue to happen because of the troves of information. However, there are things consumers can do to reduce their risk.

  • Victims should change their username and password for their affected healthcare account
  • Consumers should also change their username and password on any other accounts that have the same username or password as their healthcare account
  • Depending on what piece of PHI is exposed, victims should contact the affected healthcare provider to see what steps need to be taken

Victims of a data breach in the health care industry can call the ITRC toll-free at 888.400.5530 for more information on the next steps they need to take. They can also live-chat with an ITRC expert advisor.

Victims are also encouraged to download the free ID Theft Help app. The app has tools for data breach victims, including a case log to track all of their steps taken, access to helpful resources during the resolution process, instant access to an advisor and much more.


Read more…

Being Able to Identify a Phishing Attack is More Important Now Than Ever

Netflix Email Phishing Scam Could Steal Credit Card Information

Hacked Dating Apps are a Popular Target for Social Engineering Scams

Another week has gone by, and in this week’s Weekly Breach Breakdown, the Identity Theft Resource Center (ITRC) highlights a handful of data compromises that could leave a big impact on businesses and consumers. The ITRC has been tracking publicly-notified U.S. data breaches since 2005 to look for patterns, new trends and any information that could better help educate on the need for understanding the value of protecting personally identifiable information (PII). Some of the data compromises highlighted this week include CVS, Walgreens and Walmart pharmacy data breaches with a unique twist; an athlete recruiting tool; and one state’s taxpayer system. All of these breaches have one thing in common: they are relatively small data events that can still leave a lasting impact.

CVS, Walgreens and Walmart Pharmacy Data Breaches

Three well-known companies suffered from individual pharmacy data breaches. It wasn’t a cyberattack or failure to secure their electronic records; instead, some of their stored health information was physically stolen, leaving the potential for a serious impact on the individuals whose information was exposed. During recent protests in several cities, pharmacies owned by Walmart, Walgreens and CVS were looted. Paper files and computer equipment containing customer information was taken from individual stores, not the companies at-large. The missing information included prescriptions, consent forms, birth dates, addresses, medications and physician information. All three companies affected by the pharmacy data breaches notified impacted patients, but only CVS released the number of customers involved – 21,289.

Front Rush Data Compromise

The next data compromise includes student-athlete recruiting tool, Front Rush. Front Rush recently notified 61,000 athletes and coaches that their information was open to the internet due to a misconfigured cloud database for four years. In a notice to individuals impacted, Front Rush acknowledged that they could not tell if anyone accessed or removed any PII while it was exposed to the web from 2016-2020. Some of the personal information in the database included: Social Security numbers, Driver’s Licenses, student IDs, passports, financial accounts, credit card information, birth certificates and health insurance information.

The Vermont Department of Taxes Data Compromise

The state of Vermont recently notified more than 70,000 taxpayers that the online credentials they used to file certain types of tax forms had been exposed on the internet since 2017. State officials say they lacked the tools to tell if the information was downloaded from their systems by threat actors, but they believe the risk of an identity crime is low. However, the State Department of Taxes is recommending taxpayers take precautions like monitoring bank and credit accounts, reviewing credit reports and reporting any suspicious activity to local law enforcement.

What it Means

Stolen credentials like logins and passwords, like the information breached in Vermont, are currently the number one cause of data breaches, according to IBM. However, that is tied with misconfigured cloud security that leads to data being exposed to the web, as in Front Rush. Misconfigured cloud security generally means that someone forgot to set up a password or other security tool when they configured the database. Stolen physical records and devices ranks five out of ten on the attack scale for the most common attack vectors.

For more information about the latest data breaches, subscribe to the ITRC’s data breach newsletter.

NotifiedTM

Keep an eye out for the ITRC’s new data breach tracker NotifiedTM. It is updated daily and free to consumers. Businesses that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the ITRC’s three paid subscriptions. Subscriptions help ensure the ITRC’s free identity crime services stay free. Notified launches later this month.

If someone believes they are the victim of identity theft or their information has been compromised in a data breach, they can call the ITRC toll-free at 888.400.5530 to speak with an expert advisor. They can also use live-chat. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more. Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.


 You might also like…

Being Able to Identify a Phishing Attack is More Important Now Than Ever

Netflix Email Phishing Scam Could Steal Credit Card Information

Hacked Dating Apps are a Popular Target for Social Engineering Scams

Another week has gone by, and there are new data compromises for the Identity Theft Resource Center (ITRC) to educate businesses and consumers on. Since 2005, the ITRC has tracked publicly-notified U.S. data breaches and has tracked over 10,000 breaches since then; more recently, using 25 different information fields and 63 different identity attributes that are updated daily. On last week’s Weekly Breach Breakdown, we talked about the market price for consumer data in the dark corners of the internet where identities are bought and sold. This week, we are looking at the average cost of a data breach exposed to the public. We will also talk about the latest data breaches that reflect the trends in the new research. 

The 15th IBM Report on the average cost of a data breach was recently released, conducted by the Ponemon Institute. Reflecting some of the same trends the ITRC has reported, the IBM study shows that the global average cost of a data breach has dropped to $3.8 million – with the average being defined as a breach of 100,000 records or less. That is a drop of nearly a half-million dollars.

However, when you focus on the U.S. alone, the average cost of a data breach has gone up almost the same amount to an average of roughly $8.6 million. That continues the long-term trend of costs steadily increasing beyond the rate of inflation since 2005.

In regards to the calculation of the cost, costs include the following:

  • The actions required to detect and respond to a data breach
  • The costs of notifying the people whose information was stolen
  • Lost revenue and the costs of marketing and sales activities required to regain consumer trust lost as a result of the data breach
  • Legal fees, fines and settlement costs
  • Increased customer care support

Lost revenue is the single largest component at 40 percent of all breach-related costs. With all of that said, what is not included are the expenses associated with fixing the problem that caused the breach in the first place, and the changes needed to ensure it does not happen again. While it stands to reason that the bigger the breach, the bigger the costs, they are exceptionally bigger – 100 times bigger – if the number of records compromised is over one million records. If a data breach of 100,000 U.S. records costs $6.8 million, a one million record event could cost close to $900 million.

According to the IBM report, the number one cause for data breaches in 2020 at 19 percent is lost and stolen credentials – logins and passwords – which is also tied with misconfigured cloud environments. In other words, someone forgot to add the password to the cloud account, leaving information exposed on the web for anyone to see. Unpatched software accounts were in third place at a little over 15 percent, while malicious employees accounted for only seven percent of breaches reviewed by the Ponemon Institute. It is also worth noting that some security and human resource experts believe the number of attacks will only go up if pandemic-related layoffs increase.

Other key findings from the 2020 IBM Report regarding the average cost of a data breach include: 

  • 53 percent of the attacks in the 2020 report was financially motivated
  • The most expensive attacks occurred in the healthcare sector 
  • The average length of time between when a malicious attack starts and ends is 315 days – 10 and half months
  • Threat actors want consumer information – especially logins and passwords – more than any other data (80 percent of the time.) However, that is not the only data they want. Nearly a third of breaches in the IBM study were thefts of company intellectual property. 

Looking back at the top breaches this past week, Nintendo, the company that gave us Donkey Kong Mario Brothers, was the victim of a cyberattack where thieves dumped a large amount of data onto the web. While there was no personal information exposed, screenshots and prototypes of games were posted online. The Nintendo data breach reflects the IMB report’s findings that company intellectual property is also a target for cybercriminals. Intellectual property theft can have a significant impact on a company’s business performance.

A recent Garmin ransomware attack shut down customer access to multiple products and services, as well as manufacturing. It took Garmin, which makes GPS devices and fitness trackers, nearly a week to publicly acknowledge the attack, and services are still in the process of being restored. According to Garmin, no consumer information was compromised, and the ransomware involved is not known to steal data. Rather, the ransomware used in the Garmin ransomware attack is known just to hold data hostage.

Finally, there’s Drizly, the popular service for ordering adult beverages for delivery. The company was hacked, and information from an estimated 2.5 million accounts was placed into the dark web’s identity marketplaces. According to Drizly, no payment information or other sensitive customer data was breached. However, the cybercriminals say otherwise and are selling the stolen data for $14 per account. That makes all of the information worth at least $35 million.

For more information about the latest data breaches, people can subscribe to the ITRC’s data breach newsletter. Also, keep an eye out for the ITRC’s new data breach tracker NotifiedTM. It is updated daily and free to consumers. Businesses that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the ITRC’s three paid subscriptions. Subscriptions help ensure the ITRC’s free identity crime services stay free. Notified launches in August.

If someone believes they are the victim of identity theft or believes their information has been compromised in a data breach, they can call the ITRC toll-free at 888.400.5530 to speak with an expert advisor. They can also use live-chat. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more.

Join us on our weekly data breach podcastto get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.


You might also like…

Being Able to Identify a Phishing Attack is More Important Now Than Ever

Netflix Email Phishing Scam Could Steal Credit Card Information

EDP Ransomware Attack and Twitter Data Breach Put a Price Tag on People’s Personal Information

Another week has gone by, a week full of interesting publicly-reported U.S. data compromises. This week on the Identity Theft Resource Center’s Weekly Breach Breakdown podcast, we are focusing on cyberattacks and data breaches that help us put a price tag on people’s personal information – including EDP Renewables’ ransomware attack, a Twitter data breach that exposed Slack user information and much more.

In the 1980s, hacking started to become a thing. For the most part, hackers were young, smart and motivated by the challenge of breaking into the phone company or the Pentagon. As the ITRC’s COO and podcast host James Lee says, “the payout was street credibility.” Today, hackers are known as threat actors, and they are looking to steal people’s personal information simply because they are motivated by greed. Stealing someone’s personal information is not so much about breaking into someone’s bank account as it is stealing users’ login and passwords from a company to dupe them into paying a fake invoice (from said company) or infecting a company’s systems with ransomware.

Earlier this year, security research firm SentinelOne estimated that ransomware cost U.S. companies $7.5 billion in 2019. That number is expected to increase because the average ransom paid is going up. According to Security Boulevard, in six months between October 2019 and March 2020, the average ransom payment went from $44,000 to more than $110,000 an attack.

Originally, data thieves were content with just locking up a company’s files and walking away if they did not get paid or releasing the files back to the company if they did. Now, however, cybercriminals specializing in ransomware are using more sophisticated attack software and bolder tactics. Attackers are downloading sensitive personal information before they notify their victims instead of just sending a ransom note after locking files, turning a basic cyber hold-up into a classic data breach.

This past week, EDP Renewables, a European energy company that serves 11 million customers in the U.S., confirmed they were the target of a ransomware attack with a $14 million price-tag. Customer information was breached as part of the attack. In ransomware attacks, like EDP Renewables, the stolen information is used as leverage to force companies to pay the attackers. EDP Renewables did not pay. The demands like the one in the EDP Renewables ransomware attack make it easy to calculate the value cybercriminals put on identity information.

Another way to tell the value of personal information is to look at the price data commands in one of the Dark Web’s illicit marketplaces – where stolen information and identities are commerce. Earlier in July, data thieves posted a database of customer information from Live Auctioneers, an auction website that allows people worldwide to bid on auctioned items in real-time. The complete set of 3.4 million records are for sale starting at $2,500.

However, not all data is as valuable as other pieces of information. For example, a credit or debit card could be worth as much as $11 or as little as $1. Workspace tool Slack is learning their user information is not as valuable to data thieves, at least right now. A recent Twitter data breach exposed Slack user information. According to security researchers at KELA Group, 17,000 Slack credentials from 12,000 company workspaces are for sale on the dark web for a little as $0.50 and as much as $300. Despite the cheap low rate, no one is taking advantage of the Slack data from the Twitter data breach – posts offering the Slack credentials are nearly a year old. The reasons why cybercriminals are interested in some data and not interested in other data can vary. However, right now, data thieves are not interested in the Slack user information; because as popular as Slack is with users and Wall Street, Slack channels are rarely filled with the kinds of information cybercriminals want.

For more information about the latest data breaches, people can subscribe to the ITRC’s data breach newsletter. Keep an eye out for the ITRC’s new data breach tool, NotifiedTM. It’s updated daily and free for consumers. Businesses that need access to comprehensive breach information for business planning or due diligence can subscribe to unlock as many as 90 data points through one of three paid tiers. Subscriptions help ensure the ITRC’s free identity crime services stay free. Notified launches in August.

If someone believes they are a victim of identity theft or have been impacted by a data breach, they can call the ITRC toll-free at 888.400.5530 to speak with an expert advisor. They can also use live-chat. Finally, victims of a data breach can download the free ID Theft Help app to access advisors, resources, a case log and much more.

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.

You might also like…

Twitter Hack Serves as a Reminder of How Manipulative Bitcoin Scams Can Be

Cyber-Hygiene Tips to Keep Consumers Safe

USS Bonhomme Richard Charitable Giving Scam

Each year, about half of U.S. taxpayers rely on a tax preparer and a tax preparation service to help them file their required tax returns. These professionals offer a wide array of options, from a very simple franchise that plugs in the numbers on the consumer’s behalf to certified public accountants that know the ins and outs of the entire U.S. tax code. From accounting firms to walk-in services like H&R Block, TurboTax/Intuit, Credit Karma or Jackson Hewitt, these tax preparation services often have one major similarity: they are a hot target for hackers and identity thieves.

Trusting an outsider with highly-sensitive personal data is not something that people should take lightly. Having a professional take responsibility for the paperwork, helping to navigate the annual changes to tax laws and even assisting in the event of an IRS audit are all reason enough to pay someone to take care of the filing. However, the sheer volume of personally identifiable information (PII) that a tax preparer must collect and store means there are literal treasure troves of identities waiting to be compromised by a malicious actor.

There are plenty of ways that stolen PII from a tax preparation service can benefit a hacker. First, accessing a stolen return not only means the hacker can file the return for themselves and steal any refunds the consumer was expecting, it also means having the ability to file a fraudulent return every year. Hackers can cause even more harm with information gleaned from a tax preparer’s computer; credential stuffing is another major concern, as the complete information they might steal can be used to access the victim’s other accounts.

There are some important steps that consumers can take to protect themselves when using a tax preparation service. First, people should only choose a professional tax preparer who has a valid IRS Preparer Tax Identification Number (PTIN), but also understand that there are many different services, ability-levels and offerings that a professional can provide. It is also important for a consumer to find out what the preparer’s credentials are—such as having an accounting degree or being a member of a professional organization—before signing on to work with them. Consumers should not hesitate to ask what information the preparer will be able to access, how that information will be stored and for how long, who will be able to access that information and other related questions. There have been many situations where tax preparation services and professionals have been the target of malicious actors and understanding how they are going to safeguard information is just as important as their capabilities.

More guidelines from the IRS are available, but consumers are also cautioned to begin using a nine to ten character passphrase in place of the traditional eight-character password. A passphrase is longer and easier to remember, which makes it both harder for fraudsters to guess and more likely that consumers will deploy a different passphrase for each account.

If someone falls victim to identity theft from a data breach, they can live-chat with an Identity Theft Resource Center expert advisor through the organization’s website, as well as call toll-free at 888.400.5530 for an action plan that is customized to their needs. The free ID Theft Help App for iOS and Android also provides a number of resources for consumers to use in the event of a data breach or suspected identity theft.


You might also like…

Stalker Data Breach Leads to Sale of Users’ Credentials

Non-Traditional Data Compromises Make Up the Latest Week of Breaches

Mystery Shopper Scams Surface During COVID-19

A recent Google Alert scam has caught the attention of many. Google Alerts recently caught fraudsters trying to push fake data breach notifications for big-name companies in an effort to distribute malware and damage people’s computer networks. According to Bleeping Computer, fraudsters have been mixing black-hat SEO, Google sites and spam pages to direct users to dangerous locations based on data breach information.

Google Alerts is designed to send notifications to people who sign up for specific keywords monitoring and provide search results. As part of this Google Alert scam, fraudsters were able to create pages and use compromising websites to combine “data breach” with well-known brands. Bleeping Computer reports that some of those well-known brands include Chegg, Canva, EA, Dropbox, Hulu, Shein, Ceridian, PayPalTarget, Hautelook, Mojang, InterContinental Hotel Group and Houzz.

In the Google Alerts, fraudsters offer giveaways and download offers, which leads to the dangerous malware. The threat actors are also believed to have used the Google Sites tool to build webpages to host their content. Bleeping Computer says they found that the scammers were pushing unwanted search-related extensions. As part of the Google Alert scam, malicious links were also believed to be sent to people with an iPhone 11 device for a fake giveaway. It claimed to be set up by Google as part of a “Membership Rewards Program” and the offer said the gift was “exclusively and only for Verizon Fios users.” Users had to fill out a survey, allowing scammers to get their money. Browser extension scams can pose a risk to browsing privacy because malware can be used as part of this method.

Consumers who use Google Alerts should be aware of this particular scam; going directly to the source (the purported breached entity) instead of clicking on an unknown link. The Identity Theft Resource Center has been tracking publicly-notified data breaches since 2005 and has the most comprehensive and the most readily available data breach information for publicly-notified breaches. For any consumer that wants to fact check about the latest information regarding a publicly reported breach is encouraged to access our resources to confirm any new circumstances. Consumers can sign up for the monthly data breach newsletter, as well as view monthly and yearly data breach reports. They can also receive a “risk score” on what their true concerns should be by visiting Breach Clarity and entering the particular breach on which they would like information. Anyone who believes they might have fallen victim to a Google Alert scam can live-chat with an ITRC expert advisor, or can call toll-free at 888.400.5530. They can also download the free ID Theft Help App. The app will provide consumers and victims access to advisors, resources, a case log to track their steps and much more.


You might also like…

YEARS OF FORMJACKING LEADS TO BOMBAS DATA BREACH

WATCH OUT FOR 2020 SUMMER SCAMS

CREDIT REPORTING AGENCIES ANNOUNCE FREE CREDIT REPORTS EVERY WEEK THROUGH 2021

A recent data breach of Verifications.io, a company that approves or verifies email addresses for third-parties, exposed 763 million consumer records. Verifications.io ensures third-parties’ email marketing campaigns are being sent out to verified accounts, and not just fake emails. The unsecured database discovered online by two security researchers did not contain things like passwords or Social Security numbers; however, it did contain an assortment of data points like mortgage amounts, interest rates on loans and social media email logins, along with identifiers like gender and birthdate.

There have been almost 7.7 billion compromised accounts since data breach tracking began in 2013. The total number of compromised data sets listed on Have I Been Pwned?, a security website that lets users see if their identifying information has been exposed, now exceeds the total number of people on Earth.

The real question that the researchers and Troy Hunt, founder of Have I Been Pwned?, want to know is how Verifications.io got its hands on all of this information in the first place. The Estonian-based company has refused to respond to questions from different news outlets and has taken down its entire website as of March 4, 2019. In fact, Hunt has publicly asked for the data breach victims’ help via Twitter. What are you supposed to do when the company that comes under attack had your information without your direct permission? If you can identify your email address compromised in the data breach and used it uniquely (i.e. for one service), researchers are asking that you contact them so they can try to track the path of data sharing.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: The How and Why of Tax Identity Theft